How to route certain public traffic through private network

November 24, 2019
Firewall DigitalOcean Cloud Firewalls Networking Initial Server Setup

So I have three servers; all three of them have bidirectional communication with each other, but only two of them are on the same shared private network.

Server A - network 1
    public ip = 168.11.111.111
    private ip = 10.11.111.111

Server B - network 1
    public ip = 168.22.222.222
    private ip = 10.22.222.222

Server C - network 2
    public ip = 168.33.333.333

My application uses the public IP for binding sockets to, but I feel like it's possible to use iptables to configure traffic to traverse the private network for certain static IPs that are known to be in the same private network.

I did a ton of research about iptables, and I finally thought I came up with the correct scripts but I still can’t seem to get traffic to travel correctly.

So for my server A configuration I have

PRIVATE_A_IP=10.11.111.111
PUBLIC_A_IP=168.11.111.111

PRIVATE_B_IP=10.22.222.222
PUBLIC_B_IP=168.22.222.222

# redirect incoming packets for the private IP to become input for the public IP on the eth0 interface
iptables -t nat -A PREROUTING -d ${PRIVATE_A_IP} -i eth0 -j DNAT --to-destination ${PUBLIC_A_IP}

# redirect traffic meant for public B to be sent to private B on the eth1 interface
iptables -t nat -A OUTPUT -d ${PUBLIC_B_IP} -o eth1 -j DNAT --to-destination ${PRIVATE_B_IP}

# change the source of outgoing traffic to private B to say the source is private A, still on the eth1 interface
iptables -t nat -A POSTROUTING -d ${PRIVATE_B_IP} -o eth1 -j SNAT --to-source ${PRIVATE_A_IP}

Then, since it's bidirectional, I'd do the inverse for server B:

iptables -t nat -A PREROUTING -d ${PRIVATE_B_IP} -i eth0 -j DNAT --to-destination ${PUBLIC_B_IP}
iptables -t nat -A OUTPUT -d ${PUBLIC_A_IP} -o eth1 -j DNAT --to-destination ${PRIVATE_A_IP}
iptables -t nat -A POSTROUTING -d ${PRIVATE_A_IP} -o eth1 -j SNAT --to-source ${PRIVATE_B_IP}

I'm pretty certain I'm doing this correctly after researching NAT/iptables all weekend. Is there something I'm missing?

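The rule set the question describes, as an added example (not code from the original post or from DigitalOcean), rewritten around the two interface matches that stop the posted rules from ever firing. In the nat OUTPUT chain, `-o` is evaluated against the interface chosen by the first routing decision, and for a public destination that is eth0, so `-o eth1` on the OUTPUT DNAT never matches; after the DNAT changes the destination the kernel re-routes the packet and it leaves via eth1 on its own. On the receiving side, packets for the private address arrive on the private interface, so the PREROUTING DNAT has to match `-i eth1`, not eth0. The script prints the rules rather than applying them so they can be reviewed first; the function names, the `eth1` interface name, and the restriction of the inbound DNAT to the known peer's private address (a tightening, since the private network is shared) are this example's assumptions, not anything stated in the post.

```shell
#!/bin/sh
# Added example: generate nat rules so that connections the application makes
# to a peer's PUBLIC address leave over the private interface, and inbound
# private-side packets are handed to the socket bound on the PUBLIC address.
#
# Differences from the rules in the question:
#   * the inbound DNAT matches on the PRIVATE interface (assumed eth1) and
#     only from the known peer, not on eth0;
#   * the OUTPUT DNAT carries no "-o" match, because in nat OUTPUT the output
#     interface is the one from the first routing decision (eth0 for a public
#     destination); the packet is re-routed after DNAT and goes out eth1;
#   * the SNAT keeps "-o eth1": POSTROUTING runs after that re-route.
# Rule ordering (-A appends after any existing nat rules) and interface names
# are assumptions about the host.
set -eu

# gen_peer_rules LOCAL_PUBLIC LOCAL_PRIVATE PEER_PUBLIC PEER_PRIVATE PRIVATE_IF
# Prints the iptables commands for ONE end of a pair; apply with:
#   gen_peer_rules ... | sh     (as root)
gen_peer_rules() {
    local_pub=$1; local_priv=$2; peer_pub=$3; peer_priv=$4; priv_if=$5
    cat <<EOF
iptables -t nat -A PREROUTING -i ${priv_if} -s ${peer_priv} -d ${local_priv} -j DNAT --to-destination ${local_pub}
iptables -t nat -A OUTPUT -d ${peer_pub} -j DNAT --to-destination ${peer_priv}
iptables -t nat -A POSTROUTING -o ${priv_if} -d ${peer_priv} -j SNAT --to-source ${local_priv}
EOF
}

# gen_pair_rules A_PUBLIC A_PRIVATE B_PUBLIC B_PRIVATE PRIVATE_IF
# The bidirectional case from the question: the same three rules on each
# server with the local/peer roles swapped.
gen_pair_rules() {
    printf '# on server A (%s)\n' "$1"
    gen_peer_rules "$1" "$2" "$3" "$4" "$5"
    printf '# on server B (%s)\n' "$3"
    gen_peer_rules "$3" "$4" "$1" "$2" "$5"
}

# Stand-alone use: print both servers' rules for the addresses given.
if [ $# -eq 5 ]; then
    gen_pair_rules "$@"
fi
```

Two things to check when testing this: nat rules are consulted only for the first packet of a connection, so after changing them either reconnect or flush the conntrack table (`conntrack -F` from conntrack-tools), and confirm with `iptables -t nat -L -v -n` that the packet counters on the OUTPUT and PREROUTING rules actually increment. Because the server's own reply traffic is de-NATed by conntrack, the application on each side still sees the peer's public address, which is what it bound to.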